THEOS Cybernova

THEOS Cybernova Ep. 12 – Anna Gamvros: Navigating Privacy, AI, and Cyber Law in APAC

Theos CyberNova Season 1 Episode 12

How can organizations stay resilient as privacy regulations lag behind rapid digital threats?

 

Anna Gamvros, Partner at A&O Shearman and prominent APAC privacy and cybersecurity law expert, uncovers critical insights on managing data protection, AI governance, and cyber incident response amid evolving regional laws. From deepfake technology risks and outdated privacy regulations in Hong Kong to the far-reaching implications of the new Critical Infrastructure Cybersecurity Bill, Anna expertly bridges the gap between complex legal frameworks and practical cyber resilience strategies.

 

In this compelling conversation with host Paul Jackson, Anna explores the growing necessity for modernizing data privacy laws, discusses the controversial aspects of Hong Kong's new cybersecurity legislation, and shares firsthand experience engaging boardrooms in meaningful cybersecurity preparedness. Her unique blend of legal acumen and pragmatic incident response expertise provides vital perspectives for business leaders, privacy professionals, and anyone interested in navigating today's digital complexities.

 

Whether you're managing privacy programs, advising on cybersecurity, or seeking clarity on the intersection of AI and law, this episode of THEOS Cybernova delivers indispensable strategies and forward-thinking insights.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

Paul :

Wherever you are in the world, welcome to the Theos Cybernova podcast. My name is Paul Jackson, your host, and before we begin, I've got a quick favor to ask from you. There's one simple way that you can support our show, and that's by hitting that follow or subscribe button on the app you're listening to the show on right now. It makes a huge difference in helping get the show out there to as many people as possible, so please give us a hand and click that button now.

Anna:

The Theos Cybernova podcast hosted by Paul Jackson.

Paul :

So here we go with yet another fantastic episode of Theos Cybernova Podcast, episode 12. I'm Paul Jackson and each week I'm digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, legal eagles and technologists, with a particular focus on the Asia-Pacific region. So, whether you're a professional in the field or simply curious about staying safe in the digital age, we hope Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I'm delighted to welcome Anna Gamvros to the show. Anna is a partner with A&O Shearman and a leading light in the legal circles in our region. Anna, thanks so much for joining me today.

Anna:

Thanks for having me today, Paul. Very excited to talk to you.

Paul :

Yeah, so first of all, A&O Shearman. So obviously this is a bit of a change last year. A&O Shearman. Could you talk us through this merger? Because, you know, some like myself may have overlooked this.

Anna:

Yeah, very happy to. So it was a very exciting moment in our firm, or in our new firms, as I should say. We were Allen Overy, leading UK or global firm, and Shearman Sterling. The two firms have come together to really create A&O Shearman and the whole idea behind this merger was really to bring together a firm with an exceptional footprint for the UK and the rest of world with a very strong US firm, because many firms that you look at globally have either that rest of world presence or a very strong US presence, but the two together didn't exist before our merger. So by bringing together a leading US firm with some overseas presence and a leading rest of world, I'll call it, firm with some US presence, we brought the best of the world together to create really what we think is a novel and premier law firm to provide an offering to our clients.

Paul :

Fantastic. It sounds like a real powerhouse. I mean, yeah, you must be really proud to be there.

Anna:

Very proud to be there and very proud to be part of it.

Paul :

Fantastic, yeah. So look, before we go any further, let's tell your story, right, how did your career start? I mean, you know, I've known you for quite a while now and you've always been the leading light, you know, in our part of the world. And how did you get to this point?

Anna:

Well, it all started in humble Brisbane and I like to think, and this will really date me and show my age, I like to think that my interest in technology law and technology issues started with the Y2K bug, so you know, back in the late 90s when we all thought that the world was going to end, when we ticked over to the year 2000. This was a really new and exciting issue that lawyers hadn't worked on before, and I'd been doing some IP before that and a little bit of technology contract work, which was very new. But this was a new and exciting thing and we were doing something new and something with no precedent. Now nothing happened, which was great because, you know, as I was holding my brick phone on New Year's Eve, waiting for it not to work and to be called, you know we were able to enjoy our New Year's celebrations and go on, but this really made me realise that there was going to be, or that there was beginning, an area of law really focused on something new and that would always continue to change. So since that time, my career has really evolved from sort of that advisory work into technology contract work. So we were doing software contracts when they were new. Of course now they're not so exciting. That evolved into large scale outsourcing contracts where we were moving people and assets and data, and then data obviously started to become a focus.

Anna:

There were very few significant privacy laws in the world, and particularly in the APAC region. I moved to Hong Kong sort of in the middle of my outsourcing days in 2001, where we sort of had Hong Kong's privacy law. Australia had not what the privacy law it has today, but some degree of privacy law. There are a few scattered bits and pieces around the region, but not a lot.

Anna:

Sort of then, around about 2005, we had sort of Korea pop up and then, you know, we had more laws pop up in the ensuing years in Singapore and Malaysia and the Philippines, Taiwan, and all of a sudden there was a really interesting body of law that really no one knew a lot about and that, you know, we were trying to work out how it applies and what it applies to. So, and that's what fascinated me again in my sort of quest for doing new things without precedent, so that's kind of how I found I was interested and no one else was doing it, so I sort of started to create an expertise and sort of carved my niche in data protection law in APAC. Now happily there are many others that also do that now, but it was really something new and interesting. That sort of kind of rolled into: all of a sudden those clients whose data we'd been helping protect all those years started to get hacked.

Paul :

Right.

Anna:

And what do you do then? Well, I mean, you and I know well and there were no breach notification laws in Asia back when we started looking at breach notification and very much clients were like, well, do I just clean it up and not tell anyone, which actually was what could happen prior to all of these laws? So we sort of started advising clients on that and then obviously what followed very quickly and very much as a sort of a waterfall after GDPR in the UK was a, you know, a body of cyber related laws, breach notification laws, particularly when our clients in this part of the world in particular had to tell someone, had to do something, where they'd been the subject of a cyber incident. So hence I rolled into the cyber incident response phase of my career, which I find fascinating, and we started to work together during that period and that's become a really big part of my practice, preparing clients for cyber incidents and responding.

Anna:

And now we're rolling into a new phase is obviously AI and clients are asking questions about AI and we're seeing new laws and new issues that we have to look at. So I mean, that's what I love about this practice area is that you know we've had, we have to kind of roll with the punches a little bit. And the new laws and you know, sometimes we are making it up as we go along. But you know, I feel like we're doing that with a pretty good background of having to make those interpretations and apply what we know and the laws to new situations.

Paul :

Everyone was panicking about this, and I was in the Crime Prevention Bureau at the time, the computer security unit and yeah, it was, as you're right. It just fizzled out, didn't it? We just seemed to carry on as normal, but I would never have guessed you went back that far though, Anna. Well, that's good, true? Before we jump onto more privacy stuff, I was curious. You know you just mentioned preparing companies for crisis. Are you doing like, how are you doing this? Are you doing it in tabletop, or are you just helping them prepare their plans? You know, with a legal, obviously, component to that. How does that actually work?

Anna:

Yeah, look, we are helping them, obviously, prepare their plans and review their plans, trying to give them a holistic picture that you know, trying to bring together the technical teams, the legal teams, the risk teams, the management teams to understand that you know, a significant incident is a whole of organization response, and then we are working with our clients to test them in tabletops and scenarios.

Anna:

That's a really, really important part of our incident preparation.

Anna:

We also have built out an incident response hotline where our clients have access to us, not me personally, but our teams, on a 24-7, 365 basis. We do that by engaging our clients, making sure that we understand their plan so that, if they do call the line, we can trigger their response as they had intended. And with the vendors that they want to use, be it forensics, comms, ransomware negotiators, whoever they need, we know who they need to pull in to start the immediate triage. So we're doing that as well as a lot of what we're doing is around preparing boards. Obviously, we're seeing a sharper focus now into board member knowledge of cyber incidents and also boards as a whole as the decision making and the information that they're receiving from their organisations around cyber issues. Increasing focus from regulators, increasing focus from courts looking at liability of directors and making those decisions. So that's a really important focus in helping us prepare, from board down, our clients for cyber incidents.

Paul :

It's really interesting because that actually meshes exactly with the kind of work that I'm doing now as well. Obviously, in my new role as CEO, I'm less hands-on in terms of the investigation side of things but more focused on, as you say, board briefings, board awareness, helping them to navigate the risk management of an incident and also, of course, leading tabletop exercises where they're high level, when we're working with ex-cos, etc. So it's very interesting that you're seeing the same kind of demand for those kind of services as well and, yeah, it's good to see because it just shows or demonstrates that leadership across our region are perhaps taking cyber more seriously day by day.

Anna:

Yeah, absolutely, and we're finding a fascination at board level in ransomware and what to do, when do we pay? What questions do we need to ask? And everyone loves to hear war stories and talk ransom in a cyber context. For sure.

Anna:

But when you actually sit down with a board and actually ask them to talk through, what questions do they have and what's their kind of decision tree and how would they begin to address an issue if their companies were faced with a ransom? It's very interesting to see. You know, there's often a lot of fist thumping on the table. "No, we don't, you know, negotiate with criminals," until you start to present what the scenario could look like and the reasons why you know there may need to be considerations on both sides and the information that they need to ask for. It's very interesting. You get very interesting discussions and follow-on questions. 100%.

Anna:

As I'm sure you know better than anyone else I do.

Paul :

I was fascinated because I presented to boards in all the countries well, not all, but pretty much all the countries across the region, and there's definitely a different dynamic depending on the location across Southeast Asia. But what I am seeing is a lot of questions, a lot of feedback and a lot of you know it's not something they're doing to tick a box anymore. This is now genuinely right at the top of their radar and managing those risks is essential. So it's good to see and it's encouraging as well, as is the sort of dynamic around the strengthening of laws in our region, which we'll touch on in a moment. But before we do that, you also have a secondary role, don't you? In the IAPP, and you know? Perhaps you talk us through your role there and what the IAPP does and how listeners may want to get involved.

Anna:

Yes, so the IAPP originally IAPP stood for International Association of Privacy Professionals, to cover professionals in privacy, AI governance and cybersecurity, in particular, given that many historic privacy professionals now have to cover that kind of suite of subject matter. And the interesting thing about it is the IAPP in particular has had a very big focus recently on trying to get their arms around really the scope of digital laws that what was once called a chief privacy officer now has to consider as part of their roles. And we had a leadership kind of summit last year where the theme was really chief privacy officer "and", because everyone has an "and" now: it's "and AI governance officer" and "data ethics officer" and "cybersecurity". There are so many different parts to this role because there's so many overlapping aspects with respect to data. So the IAPP really is an organization which provides education, certification and networking for professionals in those subject matters.

Anna:

I sit on the board of directors, which I'm very privileged to do with some fantastic individuals. Over the years I've been very involved in the IAPP and sat on. We have the KnowledgeNet in Hong Kong, which I was sort of one of the founding members of, which is a networking group in Hong Kong, also on the first Asia Advisory Board, which is responsible for networking and working on issues in the region. It's at the Asia CIPPA, which is an exam on Asian data privacy and helps choose the topics for the conference in Asia, which is held in Singapore in July. Then I was on the Women Leading Privacy board as well, where, you know, obviously focused there on networking and women in the privacy profession, although the privacy profession is one of those professions where there is a large number of women in senior roles, which is fantastic. So, yeah, so now on the board, it's a five-year term and I'm in year four and it's been fantastic. So I'm headed off to the global conference that is held every year in Washington DC later this month.

Paul :

So it's a bit like a president you don't get an opportunity for a second term.

Anna:

No. Second term no.

Paul :

No, obviously we go back a long way and I'm fully aware of the amazing work that you do and I've been privileged to speak at a couple of events with the IAPP as well and it's a fantastic mix of audience and asking all the right questions, I find. So, you know, kudos to you and the entire group there. It's you know those who are more interested, especially those in Hong Kong who want to join those knowledge sessions because they are good. I remember speaking at one of those a few years back, but it's yeah, they are fantastic events, so perhaps they could reach out to you if they have any interest to learn more.

Anna:

Yeah, absolutely. And I mean I think it's great that you know the IAPP has expanded its kind of subject matter realm to include AI and cybersecurity now beyond privacy, you know, even though that was always part of the discussion. But obviously, particularly in the last few years with AI, you know we've had to pivot very quickly and they set up a separate sort of AI governance body of knowledge and there's a separate exam now with respect to AI governance. So you know it's been a very exciting time for the IAPP to grow its member base and to grow what it can do for its member base, sort of responding to what is needed and the changes that the professionals in our space are facing.

Paul :

I was going to ask you about AI later in this episode, but well, we've touched on it now, so let's continue a little bit. But I mean, this is a challenging aspect for privacy, isn't it? How do you combat the theft of identity if you like, you know, using deepfake, et cetera, technology? You know it must be one of the hot topics within the community. What are your thoughts on this? I mean, what are our solutions, or do we not really have any at the moment, given the technology?

Anna:

Well, I think I mean it's the $64 million question. You know everyone is responsible. Use of AI is what we obviously advocate as lawyers and you know as privacy professionals and you know when we're dealing with our own clients who are asking about AI and AI governance, you know you're trying to make sure that the tools and the training data and you know how their AI use cases are set up, sort of from the get-go are done in a responsible way, only using personal data where they have permission to do so, with the same as any other usage of personal data. I mean, what has become difficult is the fact that there are tools which can scoop up data at a rate and speed that we haven't been able to see before, and there is so much data about us sitting freely available on the internet that many of us have put out there ourselves, right. So not for AI tools to hoover up and create deep fakes of ourselves.

Anna:

But it's a very difficult issue to face when we can ask our own clients and organizations to be responsible. But there are always going to be unethical actors and this is another usage of personal data that's in the public domain. That is very difficult for us to control and it's obviously a lot scarier, in a way, than we've seen in the past, where we've looked at scraping or other misuses of data. So, yeah, it's definitely a tricky one, I mean from a cyber perspective. You know we're having to make it, you know, as part of a training and re-education of our clients. You know, beyond phishing now it's like looking out for things like deep fakes and, you know, creating a new, heightened level, a new level of sensitivity around questioning instructions, questioning phone calls, questioning messages even, because AI is also creating better phishing emails and all those types of things. So we are definitely changing the way that we're getting our clients to even train their own staff to become aware of these risks and potential issues that they might face.

Paul :

So one of the hot topics in Hong Kong was obviously that fraud everyone knows about. Now you know the video deepfake. Yeah, are the laws keeping up with it? I mean, what's the legal system, if you like, be doing, not just Hong Kong, but everywhere, in order to perhaps deter or make it a much more severe offence to impersonate individuals using deepfake? Is that happening or is it something that's a way off yet?

Anna:

Well, it's kind of another form of it's another way for threat actors to infiltrate the systems. You know, and it's. I mean we know that laws aren't stopping threat actors from using ransomware and that there are definitely avenues that law enforcement follows to try and find the threat actors, but I think that's still the response. All of these things are illegal. You know, to impersonate someone, to use impersonation to appropriate funds, you know they're all illegal, but it's very difficult, as it is in any other kind of cyber incident, to find the perpetrator. Yes, sure, and I mean you know that better than anyone else.

Paul :

I know exactly, yeah, right.

Anna:

And this becomes the issue because the perpetrators are even more hidden when they're using deepfake technology, to you know.

Paul :

Yeah, I don't want to deviate away from corporate sort of work, but you know, I was just in the UK and in the news there was a sad story of a teenager, you know, committing suicide because somebody created a deep fake of that girl and you know, and well, in compromising positions and uh, and you know, those things are only going to increase, aren't they, unless something is done. But what can be done?

Anna:

Yeah, look, I mean as a mother as well, I worry about these things. You know any parent does, and we know that children of the generation that our children are, they love to post videos and photos and all of the material that can be used for deepfake purposes, and so, you know, I remind my children that that could happen and that's what that data could be used for. I mean, obviously I'm probably more sensitive to it than many, but yeah, I mean, on that level it's incredibly scary.

Paul :

It definitely is.

Anna:

It's another threat that you know that we have to be very, very aware of, and it's again, it's education.

Paul :

Education. That's what I was about to say.

Anna:

Whether it's for our own families or for employees of companies right.

Paul :

Yep, employees of companies, right? Yeah, unfortunately it's like all these scams, frauds etc. It all boils down to education at the end of the day, because unfortunately, as you rightly say, the laws aren't going to deter them and it's difficult for enforcement. So education is key. All right, so let's switch gears slightly and talk about data privacy laws in Hong Kong.

Paul :

Now this is something that people moan about constantly. Because, well, I mean, I'm trying to cast back my memory, but I do remember it must have been around 1997 and I haven't got a cheat sheet in front of me so I don't know but because I remember very well that at that time I was moved in the Hong Kong police into a new unit that had to deal with telecommunications companies. The mobile phone companies were just setting up around 96, 97. And I was asked to lead that unit because I had a telecoms background and, of course, I had to deal with the new privacy law that had just come in in order to get data off those companies. And so I read that one backwards and forwards, but it hasn't changed much since then, and that's 97 or whenever it was right. So what are your thoughts on the data privacy laws and when are we going to see a modernization, an update on these?

Anna:

It's another 64 million dollar question. So, yeah, you're right with your timing, with the only and the only real updates that we've seen was around 2008, I think, with the, the Octopus incident, um, where we got, um, our direct marketing laws. I think it was 2008, 2008, 2010, and they are still some of the most stringent direct marketing laws in the world in terms of the information and consent requirements. We have to give very, very specific information in Hong Kong about how we use data for direct marketing purposes. It's quite contrast to what we need to do around data collection protection for any other use of data.

Anna:

In Hong Kong, we then saw the doxing laws. That came in a few years ago and they were supposed to be part of a suite of updates to the law. There was going to be new requirements around data retention, breach notification. There were going to be some new powers for the privacy commissioner, some new penalties and the doxing laws. So we got the doxing laws, which are again quite novel to Hong Kong. There are doxing laws in other parts of the world, but ours are very unique and the latest is that the rest of the reforms are not going to follow. So we're kind of back with the blank slate. But Hong Kong's law as they were slated back then. So it doesn't mean that there won't necessarily be reforms, but those have moved on and they had come in and I do think it was five years ago I think it was 2020 when we first got wind of reforms.

Anna:

GDPR was 2018. So it was sort of like, well, let's have a look at that. They cherry picked a few things from GDPR and that was what was going in. We've seen other laws in the region come in now that are far more stringent and far more comprehensive and far more GDPR-like. But yeah, so we're in desperate need of an update. I think Hong Kong is seen as not a particularly safe place from a data collection, a data security perspective, not because of security as such, but because the laws aren't really providing that protection. There's really no restrictions on cross-border data transfer, which is really key. No breach notification, which I think we really do need desperately in Hong Kong.

Paul :

Yeah Well, companies aren't notifying, are they?

Anna:

They're hiding all incidents and it's not good for well, customers, consumers, partners, et cetera, and so, yeah, and the penalties are so low that some clients not my clients, of course, but some organizations take it as cost of doing business to get a fine in Hong Kong, and that's just not how we want to be promoting data protection in Hong Kong or in the region. And I do think there are many, many organizations that care very deeply about data protection in Hong Kong, but there are many that don't, because they don't have the framework or the stick to keep them in line. And it's not until those organizations often suffer an incident that you really see how poorly they handled often quite sensitive data.

Paul :

Right, so we are heading down the track of notification, though, because obviously the new critical infrastructure bill cybersecurity bill came in just recently, and that does require a subset of organizations to notify should they have a breach. What are your views on this new law? Because it has had a bit of controversy, hasn't it?

Anna:

Yeah, it has. I mean, I think, in principle, critical infrastructure should be held accountable for its cybersecurity posture and I think for those bodies and organizations in Hong Kong that are providing critical services, then they should be required to make sure that they can have continuity of those services and that they're protecting Resilience.

Anna:

I guess yes, exactly resilience, that they're protecting the services from threat actors and from threats that could disrupt Hong Kong.

Anna:

I think in principle that's a solid principle. I think where there has been some, well, a lot of debate and questions asked is around the extraterritoriality, how far the reach of the law goes. There was much in the guidance saying it's not an extraterritorial law. However, the law can allocate as a critical computer system systems which are accessed from Hong Kong. So that indicates that it could touch, well, it does touch systems that are outside of Hong Kong. So I think this is where there's some concern, because when you've got systems outside of Hong Kong they may also be subject to other laws and then you get sort of like your conflicts of laws positions, because you've got one legal regime wanting the organisations to take one set of measures and another to do another. So you know there's some concern there and then, yeah, so I mean that's one of the sort of the key concerns that we've seen from our clients.

Paul :

Do you think Hong Kong enforcement will have the necessary stick, if you like, to enforce this, Because it's a whole new department being set up, isn't it to police this, if you like?

Anna:

Yeah, and I think that's what I was going to get to was that there's obviously been some discussion about this new body and whether they will have the right set industries cybersecurity, whether they'll have the right qualifications to make the right assessments as to what should be in and out of scope, as well as, you know, the right level of investigation powers and the right understanding of what they should be doing. So, yeah, so I think that's the other area where there's been concern around you know a brand new regulator.

Anna:

We haven't had one for some time, that's right, it's going to be interesting isn't it? So it's going to be very interesting.

Paul :

Because I'm actually sat in Manila at the moment and you know the Philippines. I don't know how much work you do around the region, but you're obviously aware that the Philippines has one of the tightest or strictest data protection laws, but a failure to enforce it in many ways. Yeah, I guess that's endemic of the whole region in many ways. And look, I'm law enforcement background and I know how difficult it is to get the right talent and capabilities to actually properly enforce this. It's hard enough for us to find talent in the private sector, never mind in law enforcement.

Anna:

Yeah, look, and you're absolutely right, and I think there's not a country in the region which could do with a lot more resource and funding for their data protection or cybersecurity authorities, because they are tasked with a big job.

Anna:

One significant incident in a country can unhinge a whole regulator, as they have to focus on that investigating that, understanding what the organization did, making sure that the containment measures are in place. And we've seen it in almost every regulator in the region, because many of them are very new, that they don't have the right skill set to ask the right questions, to investigate, to even make the right directions or enforcement measures at the end of it, because they just really don't know what they're dealing with. Now we're seeing a huge uptick in maturity as the regulators do settle in. Some of those that have been in place a lot longer now they're much more predictable when you're dealing with them, can kind of know what's coming down the line. But some of the newer regulators it is still very difficult to know how an investigation will roll through and what powers they will exercise or use and how long they will take to do the investigation as well. We've seen some take seven years to do the investigation.

Paul :

Because that's so challenging for you, isn't it? Because you'll be guiding clients and they'll be asking exactly these kind of questions what's going to happen with the authorities, how long is it going to take, et cetera and when you're sort of a bit up in the air, and this must be extremely challenging for you.

Anna:

Absolutely, and I mean you would know better than anyone else that the life of an IT professional in an organization is often not seven years. So when you've got an investigation that's taking that long, often it's the lawyers that are the only ones that are still there. Right, the CISOs moved on, the IT staff have moved on, the security staff are no longer there. Even the legal teams are no longer there. We're often re-briefing as to why these questions are still being asked Seven years later, the only ones with the knowledge of the incident. And that's very difficult because the questions are very specific, that regulators ask around cyber incidents and you know you want to make sure that you can answer them because they're a regulator, but they take a long time to ask the questions. They're not going to get the best answers.

Paul :

Yeah, definitely. So I've been involved in a number of, you know, obviously very protracted and complex investigations. Sing your praises well, in general as good lawyers, so critical, so critical to continuity and to helping the clients out of the mess that they've ended up in. And yeah, I've got to say I've never seen a complex incident where the lawyers haven't played an enormously key part. But obviously it's getting to know that before an incident happens, that is sometimes the challenge, right?

Anna:

Yes, and thank you for saying that, because that's often what we have to convince people of, that we do, that we, even though we're lawyers, we do have value in a cybersecurity incident. And I was just talking to a CISO yesterday, and one of the things that we were talking about, and this is a CISO that had been through a number of significant incidents, was the tail, and you and I have talked about this as well, Paul, is the tail of regulatory investigations and legal follow-up that follows an incident.

Anna:

We all know that the security teams, the CISO, they are focused on an incident, on containment, on recovery, and then let's move on. But then what many of them who've never been through an incident before don't realize is that there could be this huge tail of asking questions about what happened before the incident and what have you done since, and distracting, as a CISO would say, from their job of containment and recovery. However, they're just not prepared for that piece, and I think that's one of the things that I often talk to CISOs and others about, is that you really need to know that this is also going to be a drain of resources during and after an incident, because the regulators will come knocking and they want your time, and it's often the piece that no one realizes is going to happen.

Paul :

Yeah, that's right, and that's why anybody listening to this should be reaching out to Anna and perhaps myself to talk about preparation and crisis, you know, resilience and preparedness. But, Anna, I've got to close off because we are butting up against time. It's been a fun. We could talk all day about this stuff, but it's been a fascinating discussion. But I always ask my guests one last question, and I have no idea what you're going to say. Here we go. As a music lover, this is my way of unwinding and I love my vinyl records, and I've got to ask you: what do you listen to? Are you a music fan at all? Do you listen to music? And if so, what do you listen to?

Anna:

I am, I am. I am a heavy metal fan. Whoa.

Paul :

That's awesome fan.

Anna:

Whoa, that's awesome, yes, so the last band I saw was Metallica, boom, and yep, I'm going to see them again, uh, in Brisbane later this year. So, so, yes, uh, yes, I'm a, I'm a heavy metal fan, so that's, that's what I listen to, to unwind, which some would say it probably doesn't unwind you, but it, it makes me feel good.

Paul :

So, well, it might surprise Anna that I've got a fair amount of heavy metal in my collection as well, so I do enjoy some louder music. So great to hear. You've really taken me by surprise, but, Anna, thank you so much for joining me today. Anna and I do hope we can maybe do another episode in the future, because we've got a lot to talk about this and things move so fast, especially in the AI space.

Anna:

I'd love to. Thank you, Paul, for having me today.

Paul :

Theos Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producer was Ian Carless and me, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.
